
Threat hunters have revealed details of a new stealth malware campaign called DEAD#VAX. The campaign combines “disciplined techniques and sophisticated exploitation of legitimate system functionality” to bypass traditional detection mechanisms and deploy a remote access Trojan (RAT) known as AsyncRAT.
“This attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and injection of in-memory shellcode into a trusted Windows process, never dropping the decrypted binary to disk,” Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.
AsyncRAT is an open-source malware that provides attackers with extensive control over compromised endpoints, allowing for monitoring and data collection through keylogging, screen and webcam capture, clipboard monitoring, file system access, remote command execution, and persistence across reboots.
The infection sequence begins with a phishing email that delivers a virtual hard disk (VHD) hosted on a distributed InterPlanetary Filesystem (IPFS) network. The VHD file is disguised as a purchase order PDF file to deceive the target.
This multi-stage campaign has been found to leverage Windows Script Files (WSF), heavily obfuscated batch scripts, and self-decrypting PowerShell loaders to deliver encrypted x64 shellcode. The shellcode in question is AsyncRAT, which is injected directly into a trusted Windows process and runs entirely in memory, minimizing on-disk forensic artifacts.
“Once downloaded, when a user double-clicks to open this PDF-looking file, it mounts as a virtual hard drive,” the researchers explained. “The use of VHD files is a very specific and effective evasion technique used in modern malware campaigns. This behavior illustrates how VHD files can bypass certain security controls.”
A WSF script residing on the newly mounted drive (“E:\”), which the victim executes believing it to be a PDF document, drops and runs a hidden batch script. This script first performs a series of checks to ensure that it is not running within a virtual or sandbox environment and that it has the permissions needed to proceed.

Once all conditions are met, the script releases the PowerShell-based process injector and persistence module. This module is designed to validate the execution environment, decrypt embedded payloads, set persistence using scheduled tasks, and ultimately inject malware into Microsoft-signed Windows processes (such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe) to avoid writing artifacts to disk.
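To make the chain above concrete from a detection standpoint, the following is an added example (not code from Securonix or from the report) that correlates constructed, Sysmon-style process-creation and process-access records into the stages just described: a WSF launched from a drive other than the fixed system drive (a mounted VHD), a cmd.exe child running a batch file, a PowerShell descendant, and that PowerShell opening a handle on one of the Microsoft-signed processes named above. The field names, the `FIXED_DRIVES` set, the `SIGNED_HOSTS` set and every sample event are assumptions constructed for the example; real telemetry would be mapped onto the same dictionary shape.

```python
import re
from typing import Dict, List

# Microsoft-signed hosts named in the report as injection targets.
SIGNED_HOSTS = {"runtimebroker.exe", "onedrive.exe", "taskhostw.exe", "sihost.exe"}
# Assumption for this constructed host: only C: is a fixed drive, so a script
# executed from any other letter is treated as running from a mounted/removable volume.
FIXED_DRIVES = {"C:"}

# Constructed sample telemetry (not real logs). type 1 = process create,
# type 10 = process access. Field names mirror Sysmon but are simplified.
SAMPLE_EVENTS: List[Dict] = [
    {"type": 1, "pid": 4001, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"type": 1, "pid": 4100, "ppid": 4001, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "E:\Purchase_Order.pdf.wsf"'},
    {"type": 1, "pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\po.bat"'},
    {"type": 1, "pid": 4300, "ppid": 4200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -e PLACEHOLDER_BASE64"},
    {"type": 10, "source_pid": 4300,
     "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\System32\RuntimeBroker.exe", "granted_access": "0x1FFFFF"},
    # Benign noise: an admin running a WSF from the fixed drive with no children.
    {"type": 1, "pid": 5100, "ppid": 1200, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Scripts\inventory.wsf"'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def drive_of(path: str) -> str:
    """Drive letter prefix such as 'E:' or '' if the path has none."""
    m = re.match(r'"?([A-Za-z]:)', path.strip())
    return m.group(1).upper() if m else ""


def script_arg(cmd: str, ext: str) -> str:
    """First quoted or bare command-line token ending in ext, else ''."""
    for m in re.finditer(r'"([^"]+)"|(\S+)', cmd):
        tok = m.group(1) or m.group(2)
        if tok.lower().endswith(ext):
            return tok
    return ""


def find_chains(events: List[Dict]) -> List[Dict]:
    """Return one finding per WSF execution, scoring how many chain stages follow it."""
    procs = {e["pid"]: e for e in events if e["type"] == 1}
    access = [e for e in events if e["type"] == 10]
    findings = []
    for root in procs.values():
        if basename(root["image"]) not in ("wscript.exe", "cscript.exe"):
            continue
        wsf = script_arg(root["cmd"], ".wsf")
        if not wsf:
            continue
        drive = drive_of(wsf)
        stages = {"wsf_from_mounted_drive": drive != "" and drive not in FIXED_DRIVES}
        # Stage 2: cmd.exe child that runs a batch file.
        cmd_children = [c for c in procs.values()
                        if c["ppid"] == root["pid"] and basename(c["image"]) == "cmd.exe"
                        and script_arg(c["cmd"], ".bat")]
        stages["batch_child"] = bool(cmd_children)
        # Stage 3: PowerShell spawned by that batch.
        ps = [p for c in cmd_children for p in procs.values()
              if p["ppid"] == c["pid"] and basename(p["image"]) in ("powershell.exe", "pwsh.exe")]
        stages["powershell_loader"] = bool(ps)
        # Stage 4: that PowerShell opening a handle on a signed host process.
        ps_pids = {p["pid"] for p in ps}
        stages["injection_target"] = sorted({basename(a["target_image"]) for a in access
                                             if a["source_pid"] in ps_pids
                                             and basename(a["target_image"]) in SIGNED_HOSTS})
        score = sum(1 for v in stages.values() if v)
        findings.append({"root_pid": root["pid"], "script": wsf, "stages": stages,
                         "score": score, "severity": "high" if score >= 3 else "low"})
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f["severity"], f["root_pid"], f["script"], f["stages"])
```

The score is deliberately additive: a WSF opened from a mounted VHD alone is suspicious but common enough in some environments to be noise, whereas the same root process with a batch child, a PowerShell grandchild and a cross-process handle on RuntimeBroker.exe reproduces the whole chain the researchers describe and merits a high-severity alert.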
The PowerShell component lays the foundation for a “stealthy and resilient execution engine” that allows the Trojan to run entirely in memory and blend into legitimate system activity, thereby allowing long-term access to the compromised environment.
To further increase its degree of stealth, the malware controls execution timing and uses sleep intervals to throttle execution to reduce CPU usage, avoid suspicious rapid Win32 API activity, and reduce runtime behavior anomalies.
“Modern malware attacks increasingly rely on trusted file formats, script exploitation, and memory-resident execution to evade traditional security controls,” the researchers said. “Rather than distributing a single malicious binary, attackers are now constructing multi-stage execution pipelines that appear benign when analyzed individually. This change makes detection, analysis, and incident response significantly more difficult for defenders.”
“In this particular infection chain, the decision to deliver AsyncRAT as an encrypted, memory-resident shellcode greatly increases its stealth characteristics. The payload never appears on disk in a recognizable executable format, and instead runs within the context of a trusted Windows process. This fileless execution model significantly increases the difficulty of detection and forensic reconstruction, allowing AsyncRAT to operate with less risk of detection through traditional endpoint security controls.”
